formbook | 9b0bfd03394e34336bb2dc5bc9001243a95c553ca2cdaf3d79820787a4e39226

General

Target

jetsjets6654.exe
Size

1.2MB
MD5

957242e6d5769a32406189f7f05f50af
SHA1

42297b45d76f9c475842fe6cbc60426aea470d8c
SHA256

3eeec1884c0a7d2c7c49991d08bcf731f563fd55faff77cf02b5c6f73f34b5f1
SHA512

e812a0d87b4c3af2bc2f7c25cb11256414a1b9577e405f8e0cfa86384bbdb998da21fdd015c17c57188db4e107b746acc0d579504b81050c6e1af05b101c305a
SSDEEP

24576:iAOcZXp00Sjm2GbobhjkmK3cLSzv7w84UopeOH+2UNUquptQZCU:oDl44U3hvUUbJZupXU

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1348-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1348-69-0x000000000041F120-mapping.dmp	formbook
behavioral1/memory/624-72-0x0000000000400000-0x0000000000B55000-memory.dmp	formbook
behavioral1/memory/624-73-0x000000000041F120-mapping.dmp	formbook
behavioral1/memory/624-77-0x0000000000400000-0x0000000000B55000-memory.dmp	formbook
behavioral1/memory/1348-84-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2016-90-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/1196-92-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1196-96-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

kgxqxqi.pif

pid process

1884 kgxqxqi.pif
Loads dropped DLL 4 IoCs

Processes:

jetsjets6654.exe

pid process

1280 jetsjets6654.exe
1280 jetsjets6654.exe
1280 jetsjets6654.exe
1280 jetsjets6654.exe

pid	process
1884	kgxqxqi.pif

pid	process
1280	jetsjets6654.exe
1280	jetsjets6654.exe
1280	jetsjets6654.exe
1280	jetsjets6654.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

kgxqxqi.pifRegSvcs.exeRegSvcs.exemstsc.exe

description	pid	process	target process
PID 1884 set thread context of 1348	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 set thread context of 624	1884	kgxqxqi.pif	RegSvcs.exe
PID 1348 set thread context of 1372	1348	RegSvcs.exe	Explorer.EXE
PID 624 set thread context of 1372	624	RegSvcs.exe	Explorer.EXE
PID 1196 set thread context of 1372	1196	mstsc.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

RegSvcs.exeRegSvcs.exemstsc.execmd.exe

pid	process
1348	RegSvcs.exe
1348	RegSvcs.exe
624	RegSvcs.exe
624	RegSvcs.exe
1196	mstsc.exe
2016	cmd.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe
1196	mstsc.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

RegSvcs.exeRegSvcs.exemstsc.exe

pid process

1348 RegSvcs.exe
624 RegSvcs.exe
1348 RegSvcs.exe
1348 RegSvcs.exe
624 RegSvcs.exe
624 RegSvcs.exe
1196 mstsc.exe
1196 mstsc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RegSvcs.exeRegSvcs.exemstsc.execmd.exe

description	pid	process
Token: SeDebugPrivilege	1348	RegSvcs.exe
Token: SeDebugPrivilege	624	RegSvcs.exe
Token: SeDebugPrivilege	1196	mstsc.exe
Token: SeDebugPrivilege	2016	cmd.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1372 Explorer.EXE
1372 Explorer.EXE

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

pid	process
1372	Explorer.EXE
1372	Explorer.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

jetsjets6654.exekgxqxqi.pifExplorer.EXEmstsc.exe

description	pid	process	target process
PID 1280 wrote to memory of 1884	1280	jetsjets6654.exe	kgxqxqi.pif
PID 1280 wrote to memory of 1884	1280	jetsjets6654.exe	kgxqxqi.pif
PID 1280 wrote to memory of 1884	1280	jetsjets6654.exe	kgxqxqi.pif
PID 1280 wrote to memory of 1884	1280	jetsjets6654.exe	kgxqxqi.pif
PID 1884 wrote to memory of 624	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 624	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 624	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 624	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 624	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 624	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 624	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 1348	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 1348	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 1348	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 1348	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 1348	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 1348	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 1348	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 1348	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 1348	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 1348	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 624	1884	kgxqxqi.pif	RegSvcs.exe
PID 1884 wrote to memory of 624	1884	kgxqxqi.pif	RegSvcs.exe
PID 1372 wrote to memory of 1196	1372	Explorer.EXE	mstsc.exe
PID 1372 wrote to memory of 1196	1372	Explorer.EXE	mstsc.exe
PID 1372 wrote to memory of 1196	1372	Explorer.EXE	mstsc.exe
PID 1372 wrote to memory of 1196	1372	Explorer.EXE	mstsc.exe
PID 1372 wrote to memory of 2016	1372	Explorer.EXE	cmd.exe
PID 1372 wrote to memory of 2016	1372	Explorer.EXE	cmd.exe
PID 1372 wrote to memory of 2016	1372	Explorer.EXE	cmd.exe
PID 1372 wrote to memory of 2016	1372	Explorer.EXE	cmd.exe
PID 1196 wrote to memory of 1412	1196	mstsc.exe	cmd.exe
PID 1196 wrote to memory of 1412	1196	mstsc.exe	cmd.exe
PID 1196 wrote to memory of 1412	1196	mstsc.exe	cmd.exe
PID 1196 wrote to memory of 1412	1196	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\jetsjets6654.exe
  "C:\Users\Admin\AppData\Local\Temp\jetsjets6654.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\2_44\kgxqxqi.pif
    "C:\2_44\kgxqxqi.pif" bslxdvw.ewe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:624
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1348
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2_44\ahlaua.wee

Filesize
370KB

MD5
1f7784b35717cf5181ee1c018937792c

SHA1
66d56f668f55e4258f850213229e719b2b01de50

SHA256
a21e8ca9bbb50777a3835572ed47b631721845992ad1023bd71e11850c5f7306

SHA512
1cbc109083f22de2ee7eb43ad1ff601120a3b8e558ad032e58779e91f81b82f38480c2b76eb7ce201102fb8392d3043309e16b6877d4ba4f40e2204822ecf647

Download Submit
C:\2_44\bslxdvw.ewe

Filesize
209.8MB

MD5
9cb368a913059188e9b574baf7a8d635

SHA1
50b0670ef6f2d549c7df40703c25d0c49978224a

SHA256
8370925435336bbe0e555746e495ece28caf01f5af58091233b02c64d607c4a8

SHA512
9fea90d4432992321a92e81778a71d4ce450330709786060caba9ab63c1f7940f0de1d676b4be6a23727f4096c63eb16af426d8ce02808ca75085b8d2e97c83c

Download Submit
C:\2_44\dqpro.mp3

Filesize
37KB

MD5
39dd82a2f9cbca0b7cc3175df545834f

SHA1
e7abbd2ddb91092e5a9eaa8360da0cdc23485781

SHA256
3ee3bb319091cc00f0e950a54f65642878059fb600bc321a2ad8a91aed28375d

SHA512
7e3e43472a184ece773555b9ae3aba6d86fe1466e30d3031dfaa4da3b070fd3e02834faec2523698773a96fd13ef586ab3ba6fe64197abdce307d70da8dc0eb6

Download Submit
C:\2_44\kgxqxqi.pif

Filesize
1.3MB

MD5
92b9ea22338dcd34bc1d8bef60a635a4

SHA1
b7da7f7f1533e073463ba02f986e5c17e15d39c3

SHA256
21dd8e3960c9e3f987a40d30fdb7ebbe9139dfa9b5e5700e36cbd209f36269d0

SHA512
ff8922aab4ef89f6c67921274a35c558f88e419e43312252a744123e25981f2f297c6bc00ac57d462f66cf99ce24cc642a2fbf84861c0875d30486271fb712f5

Download Submit
\2_44\kgxqxqi.pif

Filesize
1.3MB

MD5
92b9ea22338dcd34bc1d8bef60a635a4

SHA1
b7da7f7f1533e073463ba02f986e5c17e15d39c3

SHA256
21dd8e3960c9e3f987a40d30fdb7ebbe9139dfa9b5e5700e36cbd209f36269d0

SHA512
ff8922aab4ef89f6c67921274a35c558f88e419e43312252a744123e25981f2f297c6bc00ac57d462f66cf99ce24cc642a2fbf84861c0875d30486271fb712f5

Download Submit
\2_44\kgxqxqi.pif

Filesize
1.3MB

MD5
92b9ea22338dcd34bc1d8bef60a635a4

SHA1
b7da7f7f1533e073463ba02f986e5c17e15d39c3

SHA256
21dd8e3960c9e3f987a40d30fdb7ebbe9139dfa9b5e5700e36cbd209f36269d0

SHA512
ff8922aab4ef89f6c67921274a35c558f88e419e43312252a744123e25981f2f297c6bc00ac57d462f66cf99ce24cc642a2fbf84861c0875d30486271fb712f5

Download Submit
\2_44\kgxqxqi.pif

Filesize
1.3MB

MD5
92b9ea22338dcd34bc1d8bef60a635a4

SHA1
b7da7f7f1533e073463ba02f986e5c17e15d39c3

SHA256
21dd8e3960c9e3f987a40d30fdb7ebbe9139dfa9b5e5700e36cbd209f36269d0

SHA512
ff8922aab4ef89f6c67921274a35c558f88e419e43312252a744123e25981f2f297c6bc00ac57d462f66cf99ce24cc642a2fbf84861c0875d30486271fb712f5

Download Submit
\2_44\kgxqxqi.pif

Filesize
1.3MB

MD5
92b9ea22338dcd34bc1d8bef60a635a4

SHA1
b7da7f7f1533e073463ba02f986e5c17e15d39c3

SHA256
21dd8e3960c9e3f987a40d30fdb7ebbe9139dfa9b5e5700e36cbd209f36269d0

SHA512
ff8922aab4ef89f6c67921274a35c558f88e419e43312252a744123e25981f2f297c6bc00ac57d462f66cf99ce24cc642a2fbf84861c0875d30486271fb712f5

Download Submit
memory/624-77-0x0000000000400000-0x0000000000B55000-memory.dmp

Filesize
7.3MB

Download
memory/624-81-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/624-70-0x0000000000400000-0x0000000000B55000-memory.dmp

Filesize
7.3MB

Download
memory/624-72-0x0000000000400000-0x0000000000B55000-memory.dmp

Filesize
7.3MB

Download
memory/624-73-0x000000000041F120-mapping.dmp

Download
memory/624-80-0x0000000000F30000-0x0000000001233000-memory.dmp

Filesize
3.0MB

Download
memory/1196-92-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1196-93-0x00000000022A0000-0x00000000025A3000-memory.dmp

Filesize
3.0MB

Download
memory/1196-83-0x0000000000000000-mapping.dmp

Download
memory/1196-94-0x0000000002070000-0x0000000002103000-memory.dmp

Filesize
588KB

Download
memory/1196-91-0x0000000000930000-0x0000000000A34000-memory.dmp

Filesize
1.0MB

Download
memory/1196-96-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1348-74-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/1348-78-0x0000000000160000-0x0000000000174000-memory.dmp

Filesize
80KB

Download
memory/1348-69-0x000000000041F120-mapping.dmp

Download
memory/1348-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1348-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1348-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1348-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-82-0x00000000063F0000-0x00000000064C3000-memory.dmp

Filesize
844KB

Download
memory/1372-95-0x0000000006B60000-0x0000000006C12000-memory.dmp

Filesize
712KB

Download
memory/1372-79-0x00000000070D0000-0x0000000007245000-memory.dmp

Filesize
1.5MB

Download
memory/1372-97-0x0000000006B60000-0x0000000006C12000-memory.dmp

Filesize
712KB

Download
memory/1412-86-0x0000000000000000-mapping.dmp

Download
memory/1884-59-0x0000000000000000-mapping.dmp

Download
memory/2016-89-0x0000000001FC0000-0x00000000022C3000-memory.dmp

Filesize
3.0MB

Download
memory/2016-90-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/2016-88-0x000000004A920000-0x000000004A96C000-memory.dmp

Filesize
304KB

Download
memory/2016-87-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads